Combined Privacy Notice and Information Document
In accordance with the Data Protection Act and the General Data Protection Regulation of the European Union (2016/679/EU)
Data Controller
Blikbo Oy
Contact Person for Data Protection issue
Paul Fager
paul.fager@blikbo.com
Name of the Register and Data Content
Blikbo Oy
General on the Processing of Personal Data
To the extent that the Customer Register contains personal data, its processing complies with the Data Protection Act and other applicable laws, regulations, decrees, and official guidelines concerning the processing of personal data. Personal data means information relating to an identified or identifiable natural person.
This document describes in more detail the procedures for collecting, processing, and disclosing personal data, as well as the rights of the customer (data subject).
Purpose of Collecting Personal Data
- Contractual, customer, or similar relationship
- The purpose of the Customer Register is to manage the controller’s:
- Contractual or customer relationship with the client (e.g., developer or real estate agency)
- Relationship related to the assignment with the counterparty of the client (e.g., developer or real estate agency)
- Contractual relationship with the user of an appraisal assignment or other expert service
Purpose of Use of the Data
- The data contained in the Customer Register may be used for the following primary purposes:
- Managing and developing the customer relationship
- Producing, offering, developing, improving, and securing services
- Invoicing, debt collection, and verification of customer transactions
- Targeted advertising (remarketing and direct marketing)
- Analysis and statistics concerning services
- Customer communication, (direct) marketing, and advertising where the counterparty is a developer or real estate agency
- Protecting and safeguarding the rights and/or property of the controller and other persons or parties connected to assignments
- Fulfilling the controller’s statutory obligations
- Other similar purposes
Consequences of Not Providing Data
If the controller does not receive the data referred to in sections a), b), and c), the customer relationship cannot be initiated or continued, nor can another agreement be entered into or legal transaction carried out with the Customer. If sufficient information to identify a visitor is not obtained at a property viewing, the person may not be allowed to attend the viewing.
Data Content of the Customer Register
Assignment details and their attachments may include or process the following categories of data:
- Basic customer information, such as full name, address, language
- Personal identity code and possibly business ID of a person acting on their own behalf or on behalf of a company, for reliable identification
- Data relating to the customer relationship and contractual relationship, such as services offered to the customer
- Permissions and prohibitions, such as direct marketing consents and bans
- Interests and other information provided by the customer
- Other service-related transaction data
- Complaints and information regarding their handling
Data Retention Period
Assignment diary data are retained for ten (10) years after the end of the assignment.
Other personal data are deleted once there is no longer a need to retain them. If the collection and retention of personal data has been based solely on the customer’s consent, the data will be deleted upon request.
Regular Sources of Data
Personal data are collected from the customer directly in connection with the assignment agreement, purchase or rental offer, other assignment-related events, fulfillment of due diligence obligations, and preparation of documents, when using the controller’s services, or otherwise directly from the customer (e.g., in housing and property showings).
Personal data may also be collected and updated from, for example, property management companies, the population register, other official registers, and credit information registers.
Consent-based data are collected directly from the customer or, with their consent, from registers or sources maintained by an authority or a third party.
Disclosure of Data
The controller may disclose personal data within the limits and obligations permitted by applicable law, as well as for the fulfillment of an agreement between the parties or where there is a legitimate connection.
Data are not regularly transferred outside the European Union or the European Economic Area. However, data may be transferred or disclosed outside the EU/EEA in a legally permissible manner if transferred to a country that the European Commission has determined ensures an adequate level of data protection, or where adequate protection is ensured by contractual arrangements. Transfers outside the EU may also temporarily occur in connection with the use of cloud services, such as OneDrive, iCloud, or Dropbox.
Data may be disclosed to authorities where required by law.
In connection with outsourcing of IT management, personal data may also be processed by the controller’s subcontractors, but only on behalf of the controller. Such subcontractors may include, for example, [insert examples].
Principles of Register Protection
Access to the register requires a user ID granted by the register’s main administrator. The main administrator also defines the access rights levels granted to other users. Only those employees of the controller and employees of subcontractors who require access to the data for their work tasks are granted access.
Data are stored in service databases protected by firewalls, passwords, and other technical means. The databases are located in locked and guarded premises, and only specific, pre-designated individuals have access to the data.
Where personal data are processed by a subcontractor on behalf of the controller, appropriate safeguards are ensured by agreements between the controller and subcontractor, ensuring compliance with data protection legislation.
Customer Rights
Right of Access, Receiving, and Transfer
The customer has the right to inspect what data concerning them have been stored in the customer register. Requests for inspection must be submitted in writing, signed personally or in another verifiable form, or by email.
The controller provides the above information to the customer within 30 days of the request.
The customer has the right to receive the customer data they have provided in a structured, commonly used, machine-readable format and to transfer such data to a third party. The controller retains the transferred data in accordance with this Privacy Notice.
Right to Rectification
The customer has the right to have any incorrect personal data concerning them corrected.
Right to Object, Restrict, and Erase
The customer has the right to object to the processing of their personal data for direct marketing, distance selling, and other direct marketing purposes, as well as for market and opinion research and for the development of the controller’s business. The customer also has the right to restrict the processing of their personal data and to have personal data already recorded for such purposes erased, even if there is otherwise a basis for processing.
Right to Withdraw Consent
If the data in the register are based on the customer’s consent, the consent may be withdrawn at any time by notifying the controller’s representative listed in this notice. Upon request, all data not required or permitted to be retained by law or other grounds stated in this Privacy Notice will be deleted.
Procedure for Exercising Rights
Requests for access, rectification, or other rights may be submitted by contacting the controller’s customer service using the contact details provided in this notice.
Disputes
The customer has the right to refer the matter to the Data Protection Ombudsman if the controller does not comply with the customer’s request for rectification or other request.
Profiling and Automated Decision-Making
The controller does not carry out profiling or use automated decision-making concerning the customer based on personal data.
Cookies